@Aciid
Created September 19, 2023 07:19
step-ca-pki-lab
```
Step CA with an existing PKI
1. Run on your workstation:
step certificate create "ca.internal.domain.tld" intermediate_ca.csr intermediate_ca_key --csr
2. Run on the Windows root CA:
certreq -submit -attrib "CertificateTemplate:SubCA" intermediate_ca.csr intermediate_ca.crt
3. Re-submit, if necessary (n is the request ID):
certutil -resubmit n
4. Retrieve, if necessary:
certreq -retrieve n
5. Move the created crt file back to the step-ca folder:
~/.step/certs/intermediate_ca.crt

Files under ~/.step:
certs/root_ca.crt              replace with your issuer CA crt in a subsequent step
secrets/root_ca_key            delete this unnecessary private key
certs/intermediate_ca.crt      your intermediate CA cert from the earlier step
secrets/intermediate_ca_key    your intermediate signing key from the earlier step

Export the CA certificate that issued the intermediate from your PKI in DER/CRT format (root_ca.cer by default).
Convert DER to CRT using openssl, if necessary:
openssl x509 -inform DER -in root_ca.cer -out root_ca.crt
Copy root_ca.crt to ~/.step/certs/root_ca.crt
Restart the step CA container / standalone after the changes:
step-ca ~/.step/config/ca.json
Create a test certificate in standalone mode:
step ca certificate "test.internal.domain.tld" test.internal.domain.tld.crt
Create an ACME provisioner:
step ca provisioner add acme-smallstep --type ACME
Restart the step CA container / standalone after adding the new provisioner:
step-ca ~/.step/config/ca.json
Create an ACME certificate using the provisioner (the domain must be a subdomain of internal.domain.tld):
$ step ca certificate test2.internal.domain.tld test2.crt test2.key --provisioner acme-smallstep --san test2.internal.domain.tld
✔ Provisioner: acme-smallstep (ACME)
Using Standalone Mode HTTP challenge to validate test2.internal.domain.tld .. done!
Waiting for Order to be 'ready' for finalization .. done!
Finalizing Order .. done!
✔ Certificate: test2.crt
✔ Private Key: test2.key
```
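Before restarting step-ca with the files assembled above, it is worth checking that certs/root_ca.crt really issued certs/intermediate_ca.crt, that the intermediate carries CA:TRUE (what the SubCA template grants) and that secrets/intermediate_ca_key is the key behind it. The Go preflight below is an added example, not part of the gist or of Smallstep's code; it assumes intermediate_ca_key has been decrypted to unencrypted PKCS#8 PEM (step encrypts the key it creates unless told otherwise), and makeLabPKI generates constructed stand-in certificates so the check runs offline.

```go
package main
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// checkStepFiles is a preflight for the files the lab puts under ~/.step: root_ca.crt must have issued intermediate_ca.crt,
// the intermediate must carry CA:TRUE, and its public key must match intermediate_ca_key (assumed: unencrypted PKCS#8 PEM).
func checkStepFiles(rootPEM, interPEM, keyPEM []byte) error {
	der := func(p []byte) []byte { b, _ := pem.Decode(p); if b == nil { return nil }; return b.Bytes }
	root, err := x509.ParseCertificate(der(rootPEM))
	if err != nil { return fmt.Errorf("root_ca.crt: %w", err) }
	inter, err := x509.ParseCertificate(der(interPEM))
	if err != nil { return fmt.Errorf("intermediate_ca.crt: %w", err) }
	if !inter.IsCA { return fmt.Errorf("intermediate_ca.crt lacks CA:TRUE; was it issued from the SubCA template?") }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := inter.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("intermediate_ca.crt was not issued by root_ca.crt: %w", err)
	}
	key, err := x509.ParsePKCS8PrivateKey(der(keyPEM))
	if err != nil { return fmt.Errorf("intermediate_ca_key: %w", err) }
	if !inter.PublicKey.(interface{ Equal(crypto.PublicKey) bool }).Equal(key.(crypto.Signer).Public()) {
		return fmt.Errorf("intermediate_ca_key does not match intermediate_ca.crt")
	}
	return nil
}
// makeLabPKI constructs stand-in root CA and intermediate files (sample data for this example, not a real deployment's).
func makeLabPKI() (rootPEM, interPEM, keyPEM []byte) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &rootKey.PublicKey, rootKey)
	rootCert, _ := x509.ParseCertificate(rootDER)
	tmpl.SerialNumber, tmpl.Subject.CommonName = big.NewInt(2), "ca.internal.domain.tld" // the CSR's subject
	interDER, _ := x509.CreateCertificate(rand.Reader, &tmpl, rootCert, &interKey.PublicKey, rootKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(interKey)
	pemOf := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return pemOf("CERTIFICATE", rootDER), pemOf("CERTIFICATE", interDER), pemOf("PRIVATE KEY", keyDER)
}
```

In the lab, pass checkStepFiles the bytes of ~/.step/certs/root_ca.crt, certs/intermediate_ca.crt and secrets/intermediate_ca_key; a non-nil error names the file that is wrong.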